How to Secure Your WordPress Admin Area

The WordPress admin area controls everything — protecting it properly is the highest-value security work you can do.

WordPress powers a huge share of the web, which makes its login page one of the most attacked addresses on the internet. Almost every WordPress site gets probed daily by bots looking for a way in.

Securing wp-admin is not complicated, and the protection it gives is wildly out of proportion to the effort involved. Here is what we recommend for every WordPress site we look after.

Start with the basics

Never use the username admin. It is the first thing every bot tries, so removing it instantly halves their odds. Create a new administrator account with a different name, then delete the old one. Pair it with a long, unique password stored in a password manager.

Turn on two-factor authentication so that even a stolen password is not enough to get in. For a business with several people who can log in, this is non-negotiable — one weak personal password should never put the whole site at risk.
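To show what a second factor actually checks, here is an added example of a must-use plugin that verifies a time-based one-time code (TOTP) at login. It is written for this guide, not code from the guide's author or from WordPress, and it assumes each enrolled user already has a base32 secret stored in the user-meta key example_totp_secret; the enrolment screen and QR code that a real plugin provides are not shown, and for a live site you would use a maintained 2FA plugin rather than this file.

```php
<?php
/**
 * Plugin Name: TOTP Second Factor (example)
 * Example mu-plugin for this guide (drop into wp-content/mu-plugins/).
 * Assumes an enrolled user has a base32 secret in user meta 'example_totp_secret'.
 */

// Decode a base32 secret (RFC 4648 alphabet) into raw bytes.
function example_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( preg_replace( '/[^A-Za-z2-7]/', '', $b32 ) );
    $bits     = '';
    for ( $i = 0, $n = strlen( $b32 ); $i < $n; $i++ ) {
        $bits .= str_pad( decbin( strpos( $alphabet, $b32[ $i ] ) ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    for ( $i = 0; $i + 8 <= strlen( $bits ); $i += 8 ) {
        $out .= chr( bindec( substr( $bits, $i, 8 ) ) );
    }
    return $out;
}

// HOTP (RFC 4226) for one counter value: HMAC-SHA1, dynamic truncation, 6 digits.
function example_hotp( $secret, $counter ) {
    $hmac   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true ); // 64-bit big-endian counter
    $offset = ord( $hmac[19] ) & 0x0F;
    $value  = ( ( ord( $hmac[ $offset ] ) & 0x7F ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            | ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $value % 1000000 ), 6, '0', STR_PAD_LEFT );
}

// TOTP (RFC 6238): try the current 30-second step and one step either side to
// tolerate clock drift. Returns the matching step, or false when nothing matches.
function example_totp_match_step( $secret, $code, $now = null ) {
    $step = (int) floor( ( null === $now ? time() : $now ) / 30 );
    for ( $i = -1; $i <= 1; $i++ ) {
        if ( hash_equals( example_hotp( $secret, $step + $i ), (string) $code ) ) {
            return $step + $i;
        }
    }
    return false;
}

// Add the code field to the wp-login.php form.
add_action( 'login_form', function () {
    echo '<p><label for="example_totp">Authentication code<br>'
       . '<input type="text" name="example_totp" id="example_totp" class="input" '
       . 'inputmode="numeric" autocomplete="one-time-code"></label></p>';
} );

// Priority 30 runs after WordPress has checked the password (priority 20), so the
// code is only evaluated for a user whose first factor already succeeded.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // first factor failed; leave that error in place
    }
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        return $user; // REST clients use application passwords, a separate credential
    }
    $secret_b32 = get_user_meta( $user->ID, 'example_totp_secret', true );
    if ( empty( $secret_b32 ) ) {
        return $user; // not enrolled (enrolment UI is not part of this example)
    }
    $code = isset( $_POST['example_totp'] ) ? preg_replace( '/\D/', '', (string) $_POST['example_totp'] ) : '';
    $step = example_totp_match_step( example_base32_decode( $secret_b32 ), $code );
    $last = (int) get_user_meta( $user->ID, 'example_totp_last_step', true );
    // Reject a missing or wrong code, and reject a correct code that was already
    // used: each time step is accepted once, which blocks replay inside the window.
    if ( false === $step || $step <= $last ) {
        return new WP_Error( 'example_totp_invalid', 'Invalid authentication code.' );
    }
    update_user_meta( $user->ID, 'example_totp_last_step', $step );
    return $user;
}, 30, 3 );

// XML-RPC logins never see the login form, so they would skip the second factor
// entirely; switch the endpoint off unless something on the site genuinely needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

The two points worth taking from the example even if you never run it: the code is checked only after the password has passed, and a code that has been accepted once is not accepted again. Any 2FA plugin you install should behave the same way, and should not leave XML-RPC as a route around it.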

Limit who can reach the login

Rate limiting and login lockouts stop repeated guessing. Many sites go a step further and restrict the admin area to known IP addresses, or hide the login URL so the bots cannot find it in the first place.
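As an added illustration of restricting the admin area to known addresses, here is an example must-use plugin written for this guide (not code from the guide's author or from WordPress) that allows wp-admin and wp-login.php only from an allowlist of IPv4 ranges. The two ranges in it are placeholders from the TEST-NET documentation space, and the function and key names are our own. Doing the same rule in the web server (Apache or nginx) is stronger, because it stops the request before PHP runs at all; this version is the defence-in-depth layer inside WordPress.

```php
<?php
/**
 * Plugin Name: Admin IP Allowlist (example)
 * Example mu-plugin for this guide (wp-content/mu-plugins/). The addresses are
 * placeholders from the TEST-NET documentation ranges, not real office IPs.
 */

// Assumed allowlist: single IPv4 addresses or CIDR ranges.
function example_admin_allowed_cidrs() {
    return array( '203.0.113.10/32', '198.51.100.0/24' );
}

// True when an IPv4 address falls inside a CIDR range (a bare address means /32).
function example_ip_in_cidr( $ip, $cidr ) {
    list( $subnet, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $subnet );
    if ( false === $ip_long || false === $net_long ) {
        return false; // not IPv4 (IPv6 or garbage): treated as not allowed
    }
    $shift = 32 - (int) $bits; // compare only the network bits
    return ( $ip_long >> $shift ) === ( $net_long >> $shift );
}

// Which requests the rule covers: the dashboard and the login page. admin-ajax.php
// and admin-post.php stay open because front-end features use them for visitors.
function example_request_is_admin_area( $path ) {
    if ( false !== strpos( $path, '/wp-admin/admin-ajax.php' )
      || false !== strpos( $path, '/wp-admin/admin-post.php' ) ) {
        return false;
    }
    return false !== strpos( $path, '/wp-admin' ) || false !== strpos( $path, '/wp-login.php' );
}

add_action( 'init', function () {
    $path = isset( $_SERVER['REQUEST_URI'] ) ? (string) parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) : '';
    if ( ! example_request_is_admin_area( $path ) ) {
        return;
    }
    // REMOTE_ADDR is set by the web server and cannot be forged by the client.
    // Do not read X-Forwarded-For here; if the site sits behind a proxy or CDN,
    // configure the server (mod_remoteip, ngx_http_realip_module) to restore the
    // real client address into REMOTE_ADDR instead.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( example_admin_allowed_cidrs() as $cidr ) {
        if ( example_ip_in_cidr( $ip, $cidr ) ) {
            return; // allowed
        }
    }
    error_log( sprintf( 'wp admin allowlist: denied %s for %s', $ip, $path ) );
    wp_die( 'Access denied.', 'Access denied', array( 'response' => 403 ) );
}, 1 );
```

Before enabling anything like this, check what REMOTE_ADDR actually contains on your hosting: behind a CDN it is often the CDN's address, and an allowlist built on that either locks everyone out or lets everyone in.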

Review your user accounts regularly. Old staff, former freelancers, and unused accounts are all potential ways in. Everyone who can log in should have only the level of access they actually need — not everyone needs to be an administrator.

Keep the foundations solid

A locked front door is no help if the walls are crumbling. Keep WordPress core, themes, and plugins updated, because most successful hacks exploit known weaknesses that a patch has already fixed.
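Since most successful attacks use weaknesses a patch already fixed, the gap between a release and your install is what matters. Here is an added example, written for this guide and not the author's or WordPress's own code, of a must-use plugin that turns on automatic updates for core, themes, and every plugin except an explicit hold list, and logs the outcome of each run so a failed update does not go unnoticed. The hold-list entry is an assumed placeholder.

```php
<?php
/**
 * Plugin Name: Update Policy (example)
 * Example mu-plugin for this guide. The hold list is an assumption, not a real
 * setting from the agency.
 */

// Core: WordPress installs minor/security releases by itself; this also takes
// major releases. WP_AUTO_UPDATE_CORE accepts true, 'minor' or false and is
// normally set in wp-config.php, hence the guard.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}

// Plugins you prefer to update by hand after testing (assumed placeholder entry).
function example_update_hold_list() {
    return array( 'some-shop-plugin/some-shop-plugin.php' );
}

// Everything else updates automatically as soon as a release is available.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, example_update_hold_list(), true ) ) {
        return false;
    }
    return true;
}, 10, 2 );
add_filter( 'auto_update_theme', '__return_true' );

// Summarise an automatic update run so failures are visible, not silent.
// $results is keyed by 'core', 'plugin', 'theme', 'translation'; each entry
// carries ->name and ->result (a WP_Error when that update failed).
function example_update_run_summary( $results ) {
    $lines = array();
    foreach ( $results as $type => $items ) {
        foreach ( $items as $entry ) {
            $ok      = ! is_wp_error( $entry->result );
            $lines[] = sprintf( '%s %s: %s', $type, $entry->name, $ok ? 'updated' : 'FAILED' );
        }
    }
    return $lines;
}
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( example_update_run_summary( $results ) as $line ) {
        error_log( 'wp auto-update ' . $line );
    }
} );
```

Automatic updates only run when WP-Cron (or a real system cron calling wp-cron.php) is firing, so a site with cron disabled will quietly fall behind; the log lines are there so that shows up.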

Add a web application firewall to filter malicious traffic, and make sure you have reliable backups. If the worst happens, a recent backup turns a disaster into an inconvenience. These measures work together — no single one is enough on its own.

FAQs

Common questions.

Will hiding the login page break anything?

No, it simply changes the address you use to log in. You and your team use the new URL; the bots that guess the standard one find nothing.

Do I really need two-factor on a small site?

Yes. Small sites are attacked just as relentlessly as large ones, usually by automated bots that do not care how big you are.

How do I limit how many times someone can try to log in before being blocked?

We add a login attempt limit to every site we build, which automatically locks out anyone who gets the password wrong too many times. It takes minutes to set up and stops the most common brute-force attacks dead in their tracks.
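For readers who want to see what a login attempt limit does behind the scenes (this is the mechanism behind the rate limiting and lockouts mentioned earlier and in the answer above), here is an added example of a must-use plugin written for this guide. It is not the plugin the agency installs and not WordPress code; the thresholds (5 failures, 15-minute window, 30-minute lockout) and all the example_ names are assumptions.

```php
<?php
/**
 * Plugin Name: Login Attempt Limit (example)
 * Example mu-plugin for this guide (wp-content/mu-plugins/). The thresholds are
 * assumptions; tune them for your own sites.
 */

define( 'EXAMPLE_LOGIN_MAX_FAILURES', 5 );                  // failures allowed ...
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );   // ... before a quiet period resets the count
define( 'EXAMPLE_LOGIN_LOCKOUT', 30 * MINUTE_IN_SECONDS );  // how long the address is then blocked

// Lockouts are keyed by client IP. REMOTE_ADDR comes from the web server and cannot
// be forged by the client; do not substitute X-Forwarded-For unless the server has
// been configured to set REMOTE_ADDR from a trusted proxy.
function example_login_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_login_state_key( $ip ) {
    return 'example_login_fail_' . md5( $ip ); // transient names are length-limited
}

// Count every failed attempt from this address; lock when the limit is reached.
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = example_login_client_ip();
    $key   = example_login_state_key( $ip );
    $state = get_transient( $key );
    if ( ! is_array( $state ) ) {
        $state = array( 'count' => 0, 'locked_until' => 0 );
    }
    $state['count']++;
    if ( $state['count'] >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        $state['locked_until'] = time() + EXAMPLE_LOGIN_LOCKOUT;
        // Worth logging: a burst of these lines is the signature of a brute-force run.
        error_log( sprintf( 'wp login lockout: ip=%s user=%s', $ip, sanitize_user( $username ) ) );
    }
    // The transient expiry is refreshed on every failure and the transient then
    // expires by itself, so the count resets after a quiet spell with no clean-up job.
    set_transient( $key, $state, max( EXAMPLE_LOGIN_WINDOW, EXAMPLE_LOGIN_LOCKOUT ) );
} );

// Refuse to authenticate while locked. Priority 30 runs after WordPress's own
// password check (priority 20), so the same generic error comes back whether or
// not the guess happened to be right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $state = get_transient( example_login_state_key( example_login_client_ip() ) );
    if ( is_array( $state ) && $state['locked_until'] > time() ) {
        return new WP_Error( 'example_login_locked', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_login_state_key( example_login_client_ip() ) );
} );
```

Because the check sits on the authenticate filter, it covers every route that calls wp_authenticate, not just the login form. The trade-off of keying on IP alone is that a large office behind one address can lock itself out; a production plugin usually keys on both IP and username and offers an allowlist.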

Want a hand putting this into practice?

Book a free, no-obligation consultation with a Norwich-based specialist.

Let's put your business in a better light.

Book a free, no-pressure consultation. We'll talk through your goals and tell you honestly what we'd do — whether you work with us or not.

  1. Tell us a bit. Fill in the form — two minutes, tops.
  2. We'll call you back. Within one working day, no pressure.
  3. Get a clear plan. Honest advice and a fixed quote.

Free · No obligation · We reply within one working day